BIND DNS Setup Idea?

1203 Views 3 Replies Latest reply: Feb 12, 2013 7:11 PM by Michael Ojaste
Michael Ojaste, Level 3 (530 points)
Feb 10, 2013 7:35 AM

Fun with BIND and OS X Server. Those who know, know.

What I am trying to achieve is to have full control over my domain forward and reverse DNS. I already got the ISP to point to my rDNS; they used a "-" instead of "/", so not sure how BIND sees that yet. I have read it's the same, only a syntax change. Now to my problem.

I set up the reverse zone file correctly and all the responses to the local CLI were perfect: host, nslookup, dig, etc., including dscacheutil. The problem was letting the outside world see it. Every query that started to come in was (denied): PTR, A, etc. I tried a bunch of different entries in the named.conf and then in the SA file "publicView.conf.apple".

I tried "allow-query { any;  };" both in the zone list and in named.conf. I tried "query-source address * port *;" since I saw from the logs that the (denied) queries came in on non-53 ports. Nothing I had tried would allow a query of the 208-28.xx.xxx.xxx.in-addr.arpa. zone. Mind you, outside queries of forward DNS worked and local queries of both Fwd and Rev worked.

In the end I had to open the "allow-recursion {"com.apple.ServerAdmin.DNS.public";};" to "any" and it worked. Now I cannot, or do not want to, leave it this way, and I also currently broke SA access to the files.

So, options?

1. Can anyone tell me what I can do to keep the allow-recursion ACL in place but allow queries to my 208-28.xx.xxx.xxx.in-addr.arpa. zone to work?

2. If "allow-recursion" has to be open for rDNS to work, can I create a "view "all" { zone "208-28.xx.xxx.xxx.in-addr.arpa" IN  { type master; ...};};" type entry in the named.conf after (or before) "include "/etc/dns/publicView.conf.apple";"? I would also put back the default rDNS zone so SA will work, but I'll manually edit the custom rDNS zone.

My thing is I am no BIND expert and I am not sure if I can have 2 "view" statements or if it should go before or after the "include" in named.conf.

Any help will get you a gold star, lol.

Mac Pro, Mac OS X (10.6.8), Server 2 x 2.66Ghz intel Xeon 2006
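As an added example (not from this thread or from Apple's generated files), here is a named.conf layout that serves the RFC 2317 style reverse zone to anyone while keeping recursion limited to the ACL named in the post; a server that is master for a zone answers those queries authoritatively, so no recursion is needed for them. The ACL members, directory and zone file name are placeholders, and "208-28.xx.xxx.xxx.in-addr.arpa" is the post's own redacted zone name.

```conf
// Added example, not Server Admin's generated config. Placeholder values:
// ACL members, directory, zone file name.

// ACL name taken from the post; membership is a placeholder.
acl "com.apple.ServerAdmin.DNS.public" {
    localhost;
    localnets;
};

options {
    directory "/var/named";          // placeholder
    recursion yes;
    // Recursive lookups only for trusted clients. Opening this to "any"
    // turns the host into an open resolver (abusable for amplification).
    allow-recursion { "com.apple.ServerAdmin.DNS.public"; };
    // Authoritative answers do not need recursion, so queries can be open.
    allow-query { any; };
    allow-transfer { none; };
};

// Public view: authoritative data only, no recursion for the outside world.
view "public" {
    match-clients { any; };
    recursion no;

    // Classless reverse zone (the ISP wrote "-" where RFC 2317 uses "/";
    // BIND treats it as an ordinary label).
    zone "208-28.xx.xxx.xxx.in-addr.arpa" IN {
        type master;
        file "db.208-28.xx.xxx.xxx.in-addr.arpa";   // placeholder
        allow-query { any; };
        allow-transfer { none; };   // or the addresses of your secondaries
    };
};
```

Several view statements are allowed and are matched top to bottom by match-clients, but once any view exists every zone (including those in the included Apple file) must live inside a view, otherwise named refuses to load; named-checkconf reports this before a restart.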
  • MrHoffman, Level 6 (11,745 points)
    Feb 10, 2013 8:33 AM (in response to Michael Ojaste)

    Has your ISP delegated DNS for your IP addresses to your DNS servers?  (That's somewhat unusual, and it's not something I'd generally recommend, and you'll probably want multiple DNS servers.)

    If you're not sure about that, ask your ISP, or (from outside) see what DNS server is configured as authoritative for the reverse translations.

    I might infer you do based on that zone transfer, but would prefer to confirm this.

    You'll probably want to dedicate these servers, and probably also put them in a DMZ, as DNS servers are targets for attacks, and OS X Server wouldn't be my preferred choice for hosting public DNS; you're going to go around the Server.app or Server Admin.app tools to get where you need.

    If there's NAT involved here, my preference would be to leave DNS at the provider, and to host DNS (within the NAT'd network) locally.
